Gulp! Pepsi's Security Fizzles Exposing Sensitive Employee Data To Hackers In Malware Attack

hero pepsi data breach malware attack news
Pepsi Bottling Ventures (PBV) has suffered a major data breach, with hackers making off with a trove of sensitive information. The company has begun notifying affected individuals of this incident, but the details remain sparse. According to a sample of the security notice issued by PBV, unknown threat actors managed to infect the company’s internal IT systems with infostealer malware that siphoned personally identifiable information (PII) for almost a month.

PBV, which is a joint venture of PepsiCo and the multinational beverage company Suntory Group, boasts its status as the largest privately-held bottler of Pepsi-Cola products in North America. The company operates eighteen bottling and distribution facilities and provides beverages to buyers in North Carolina, South Carolina, Virginia, Maryland, and Delaware.

PBV first learned of unauthorized access to its internal systems on January 10 of this year. However, upon investigation, the company discovered that the threat actors initially breached its systems on or around December 23, 2022, and it wasn’t until January 19 that PBV fully shut the intruders out of its network. PBV has responded to the breach by reporting the incident to law enforcement, launching an investigation, implementing improvements to its internal security infrastructure, and requiring all company passwords to be changed.

The company is still investigating the incident but has so far determined that the threat actors stole the following information in the course of the cyberattack:
  • First and last names
  • Home addresses
  • Email addresses
  • Financial account information (including passwords, PIN codes, and other access numbers)
  • Driver license numbers, passport information, and other identification card info
  • Social Security numbers
  • Digital signatures
  • Benefits and employment information
  • Health insurance policy numbers, claims, and other information including medical history
The security notice doesn’t make clear whether the data breach affected any customer information, but information reported as stolen seems to pertain to employees. Affected individuals should receive a notice from the company, which includes an offer for one free year of Kroll identity monitoring services.

PBV instructs all affected individuals to change their usernames, passwords, and security questions for accounts associated with the company. The company also advises affected individuals to take similar steps for any unrelated accounts that share the same usernames, passwords, and security questions, which is good advice given the prevalence of credential stuffing attacks. Affected individuals should also consider implementing credit freezes and fraud alerts to protect against various forms of identity fraud.